GlobalProtect Authentication fails with message "User is not in allow list"
Created On 08/16/23 08:26 AM - Last Modified 08/23/24 20:52 PM
Symptom
- After the SAML authentication, the GP app on iOS devices gets stuck in the connecting state.
- It happens after disconnecting or restarting the GP app on all iOS devices.
- The authentication succeeds when the domain is specified. For example, 'domain\user1' succeeds whereas the username without the domain, 'user1', fails.
Environment
- Palo Alto Firewalls
- PAN-OS 10.2.x
- GlobalProtect (GP) App
- SAML Authentication
- iOS Devices
Cause
- In the SAML authentication profile's Allow List, the user is specified as 'domain\user1' instead of just the username, for example 'user1'.
- The username is extracted from the cookie on the GlobalProtect Portal and sent to the GlobalProtect App to use for authentication.
- The GlobalProtect Portal provides the username without the domain to the GlobalProtect App, i.e. 'user1' is provided instead of 'domain\user1'.
- The GP app uses this username for cookie authentication, and the authentication fails because 'user1' is not listed in the Allow List of the SAML authentication profile.
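The following is an added illustration, not PAN-OS or GlobalProtect code: it models the flow described above (the portal drops the domain prefix before handing the username to the app, and the gateway then matches that name against the Allow List) so that the mismatch is visible, and it includes a small audit helper that flags 'domain\user' style entries. The exact-match, case-insensitive comparison and the regular expression used for the domain prefix are assumptions made for the illustration; the allow list contents are constructed sample data.

```python
"""Model of the GlobalProtect cookie-username Allow List check.

This is illustrative code added to the article; it is not the product's
implementation. Matching rules below are assumptions.
"""
import re

# Constructed sample Allow List, as it might be entered in a SAML auth profile.
ALLOW_LIST = ["corp\\user1", "user2@corp.example", "user3"]

# Assumption: a 'domain\' prefix is anything before the first backslash.
DOMAIN_PREFIX = re.compile(r"^[^\\@]+\\")


def portal_username_for_cookie(asserted_name: str) -> str:
    """Model of the pre-fix portal behaviour: the domain prefix is stripped
    before the username is written into the cookie sent to the GP app.
    UPN or e-mail style names contain no backslash, so they pass unchanged."""
    return DOMAIN_PREFIX.sub("", asserted_name)


def allow_list_check(username: str, allow_list) -> bool:
    """Assumed rule: exact, case-insensitive match against the Allow List."""
    return username.lower() in {entry.lower() for entry in allow_list}


def cookie_auth_outcome(asserted_name: str, allow_list) -> bool:
    """Simulate one login: the IdP asserts `asserted_name`, the portal strips
    the domain, and the gateway checks the stripped name against the list."""
    return allow_list_check(portal_username_for_cookie(asserted_name), allow_list)


def audit_allow_list(allow_list):
    """Return entries in 'domain\\user' form: the cookie username (domain
    already stripped) can never equal such an entry, so they will fail."""
    return [entry for entry in allow_list if DOMAIN_PREFIX.match(entry)]


if __name__ == "__main__":
    for name in ALLOW_LIST:
        print(f"{name!r:25} -> cookie name {portal_username_for_cookie(name)!r:20} "
              f"allowed={cookie_auth_outcome(name, ALLOW_LIST)}")
    print("entries that will never match:", audit_allow_list(ALLOW_LIST))
```

Running the block shows that 'corp\user1' is reduced to 'user1' and rejected, while the UPN-style entry and the bare username are accepted, which is why the workaround of switching the IdP username attribute to UPN or e-mail format avoids the mismatch.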
Resolution
- The issue is fixed under PAN-226768 in PAN-OS 10.2.8, 11.0.4 and higher releases.
- Upgrading to one of the above releases resolves the issue.
- Workaround step 1: Configure the username attribute on the IdP server in UPN or email format.
- Workaround step 2: After step 1, use a different certificate for cookie encrypt/decrypt in the GlobalProtect Gateway "Authentication Override" setting of each agent config.
- Step 2 invalidates the old cookies and forces a new SAML authentication, which generates a new cookie with the proper username so that the Allow List check passes.